Aqua Launches Container Security Platform

The newly renamed company says finding vulnerabilities in containers isn't just about looking for known issues.

The emerging market for application containers is a very fluid one, which is one of the reasons why Scalock is now rebranding itself as Aqua Security. After months in beta, the Aqua Container Security platform became generally available on May 18, providing another option to organizations looking to secure container deployments.
"As is sometimes the case with startups, the name we chose initially ended up not fitting what we aim to do," Amir Jerbi, co-founder and CTO of Aqua Security, told eWEEK about the name change from Scalock. "Since we're in a place where DevOps meets security, we wanted something more fluid, literally."
Aqua Security has raised a total of $4.35 million since the company was started in 2015. The container security landscape has evolved rapidly over the course of the last year, with CoreOS announcing its Clair container security technology, Docker Inc. announcing its Docker Security Scanning and Twistlock debuting its container security approach. Aqua's goal is to do more than just scan application containers looking for known vulnerabilities.
Jerbi explained that Aqua's image vulnerability scanning is like Docker's approach in that Aqua looks at all the binaries in the image, including programming language components. In contrast with Docker though, Aqua supports not only Docker registries but also Amazon ECS, CoreOS Quay, JFrog Artifactory and private registries, he said.

"We also offer a free SaaS scanner called Peekr that lets developers scan images in public or private registries," Jerbi said. "It's something that we will continue to develop and enhance as the market evolves."

Looking beyond just application vulnerability scanning, Aqua also provides a degree of runtime protections. Aqua uses a layered security approach to keep containers safe, according to Jerbi. The layered approach starts with running the container application images in learning mode, usually during functional testing. In the learning mode, Aqua examines a container's behavior in the application context and uses that to set granular runtime parameters, based on which files, executables and network connections a container is using.
"On top of that, we provide a user access control policy that is specific to a container or application," he said. "On top of that, we apply network controls by application and, finally, we also monitor for malicious behaviors like port scanning, socket bombing, etc."
As such, the Aqua platform combines declarative and behavioral methods with learning as part of a layered approach to secure containers. Another key part of the overall container security landscape are existing controls in a host Linux operating system.
"Where it makes sense, we leverage the native Linux security controls—for example, we use netfilter and cgroup to restrict container activity," Jerbi said. "We fill the gaps where more granular container-specific controls are needed with our own technology, since Linux security controls work at the operating systems resources level and don't understand the container entity."
Aqua is part of the Linux Foundation's Open Container Initiative (OCI), which is aiming to define standards for containers. Jerbi noted that OCI is still in its early days, but he said it's important for the industry as a whole to agree on standards and interoperable technologies.
"Docker the container format is obviously the most popular today, but we are seeing others in use," Jerbi said. "Currently, we support Docker, but we are planning to support runc-compliant engines."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.